Related branches

Related bugs

Sprints

Whiteboard

Work items:
[kees] deroot auditd, get into main: POSTPONED
[kees] re-submit gcc testsuite updates (part 2) to upstream: TODO
[kees] document in the wiki how to use hardening-includes: DONE
[kees] update packages that currently use hardening-wrapper to use hardening-includes: POSTPONED
[kees] write a lintian info script that checks for hardening when hardening-includes/wrapper is in the build-deps: POSTPONED

From gobby notes from the morning meetings of Maverick UDS:
Day 1
-----
Introductions

Open round table topics

Cautious launcher feels broken with wine (https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required)
* needs to be translatable
* possibly use extended attributes and modify frefox and mail clients to say
when downloaded and from where so that cautious launcher can use that to
provide more information so people can make a better decision. Does this help
the process significantly?
* use clam automatically on the file
* feels broken (eg, CDROM are mounted ro with no execute, so can't launch it
in wine)
* generalized icon theme for the executable
- if .exe show embedded or something else
- if executable bit set
- file command
* Lots of experimentation this cycle about what kinds of dialogs help the user
- feel good that Ubuntu didn't run it to begin with
- make an informed decision
- not run things automatically
* Would be nice to make it easy to restrict Wine to a whitelist of apps
- example use case: corporate install that has a few apps from 90s that run in Wine for business but doesn't want users downloading random windows games.

Possibly use a container or sandbox to confine .sh files for games, etc (not
useful for things that need access to your data)

Maybe have specific type of container (akin to the guest session) specifically
for games

look into clamfs -- wine could be installed in it

maybe look into ways to confine wine apps generally (eg a business has to run
app X, so how can we confine app X generally (or at least easily (container,
apparmor, etc)
- could have wine confined by an apparmor profile and call out to a helper
program (wine-aa-helper) to change_profile() into it

wine apps offered through software center (could then have an apparmor profile)

utilize wine prefixes more rather than the traditional .wine folder

Maybe a generic apparmor profile that allows very limited access to files for
these types of files
- could have cautious launcher running under AppArmor and have it change_profile
to the .sh executable (could work, but problematic to not be too general)
- may not work with the .sh file is an installer
- cautious-launcher will need root privs to change_profile() -- (or a helper
like with libvirt)

Self-contained "live cd" container for .debs that could work with users without root
- example: world of goo provides .debs
- might help to have gui for what you provide the container (eg network access)
- be capabilities aware

Workitems:
- update cautious launcher to make it clear it's ubuntu not the app raising the dialog
- make cautious launcher translatable
- scan with clamscan if it is available (wine Recommends clam?)

Day 2
-----
* ted said mainly be concerned about unity and its interaction
* popcon talk captured in https://blueprints.launchpad.net/ubuntu/+spec/security-m-popcon
* mutter (clutter metacity) window manager is new, so check things like
screensaver operation.
* mozilla
- all the rdepends on xul go to -proposed by building on the mozilla ppa
- these will be copied to -proposed for wider testing then to both
-security and -updates
- anything depending on xul in older releases and is exposed to webcontent
needs a USN
- push lucid (-1) when ready and hardy and jaunty (-2) will be a week or two later
look at 354-1 and group all the rdepends on xul that is exposed to web
content in one USN (-3)
- tbird3 and seamonkey go to hardy and jaunty too. requires new NSS, but wait
on these